package compliance.cis_eks.rules.cis_4_2_5
import data.kubernetes_common.test_data
import data.lib.test
# Every fixture that contains at least one container with
# allowPrivilegeEscalation: true in `spec.containers` must produce a
# finding, no matter how the sibling containers are configured.
# `finding` is not defined in this file; it is expected from the rule
# definition elsewhere in this package, and `test.assert_fail` comes
# from data.lib.test.
test_violation {
	# Mixed lists first: one escalating container next to containers
	# with an empty or absent securityContext must still fail.
	test.assert_fail(finding) with input as rule_input(violating_psp4)
	test.assert_fail(finding) with input as rule_input(violating_psp3)
	test.assert_fail(finding) with input as rule_input(violating_psp2)
	# Simplest case: a single escalating container.
	test.assert_fail(finding) with input as rule_input(violating_psp)
}
# Pods whose containers either set allowPrivilegeEscalation: false or
# leave securityContext empty must not produce a finding.
# NOTE(review): the second fixture pins the rule to accept an *unset*
# allowPrivilegeEscalation. Kubernetes does not default that field to
# false when it is omitted, so confirm this is the intended reading of
# CIS EKS 4.2.5 rather than a coverage gap.
test_pass {
	# Empty securityContext on the only container.
	test.assert_pass(finding) with input as rule_input(non_violating_psp2)
	# Explicit allowPrivilegeEscalation: false.
	test.assert_pass(finding) with input as rule_input(non_violating_psp)
}
# The rule must stay undefined (not merely false) for input that is not
# a kube-api resource, so it does not emit a pass/fail for unrelated
# resource types.
test_not_evaluated {
	non_kube_input := {"type": "no-kube-api"}
	not finding with input as non_kube_input
}
rule_input(resource) = test_data.kube_api_input(resource)
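# All fixtures share the same Pod skeleton and differ only in their
# `spec.containers` list, so the skeleton is built once here. This
# keeps the six cases from drifting apart (e.g. one fixture silently
# losing `kind` or `metadata.uid`) when a new case is added.
# The uid is arbitrary but stable so a finding can be matched to it.
fixture_pod_uid = "00000aa0-0aa0-00aa-00aa-00aa000a0000"

# fixture_pod(containers) returns a minimal Pod resource whose
# `spec.containers` is the given list. Only `spec.containers` is
# populated: none of the cases below exercises initContainers or
# ephemeralContainers, so behaviour of the rule for those lists is
# not covered by this file.
fixture_pod(containers) = {
	"kind": "Pod",
	"metadata": {"uid": fixture_pod_uid},
	"spec": {"containers": containers},
}

# Single container that explicitly opts into privilege escalation.
violating_psp = fixture_pod([
	{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": true}},
])

# One escalating container next to one that explicitly disables it;
# the compliant sibling must not mask the violation.
violating_psp2 = fixture_pod([
	{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": true}},
	{"name": "container_2", "securityContext": {"allowPrivilegeEscalation": false}},
])

# One escalating container next to one with an empty securityContext.
violating_psp3 = fixture_pod([
	{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": true}},
	{"name": "container_2", "securityContext": {}},
])

# One escalating container, one with an empty securityContext and one
# with no securityContext key at all; the rule must not short-circuit
# on the containers that lack the field.
violating_psp4 = fixture_pod([
	{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": true}},
	{"name": "container_2", "securityContext": {}},
	{"name": "container_3"},
])

# Single container that explicitly disables privilege escalation.
non_violating_psp = fixture_pod([
	{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": false}},
])

# Single container with an empty securityContext; the test suite treats
# this as compliant.
# NOTE(review): Kubernetes does not default allowPrivilegeEscalation to
# false when it is omitted, so a pod shaped like this can still escalate
# at runtime. Confirm that passing on an unset field is the intended
# interpretation of CIS EKS 4.2.5 rather than a gap in the rule.
non_violating_psp2 = fixture_pod([
	{"name": "container_1", "securityContext": {}},
])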